Exchange 2007 Administrative Roles

Posted on November 29th, 2008 in Exchange 2007, Microsoft by Gil Kreslavsky

  • Exchange View Only Administrator – Gives users or groups the ability to view the Exchange
    organization and server configuration. Mailbox administrators require this role in order to
    enumerate Exchange server names, storage groups, and mailbox store names.
  • Exchange Administrator – Gives users or groups the ability to manage (create/change/delete)
    Exchange objects at either the organization level or within a specific administrative
    group, depending on where the role was delegated.
  • Exchange Full Administrator – Gives users or groups all of the permissions that an Exchange
    Administrator has, plus the ability to change permissions on objects.

The Exchange View-Only Administrator role allows an administrator to view the Exchange
configuration but not to make any changes.

The Exchange Recipient Administrator role has the permissions to modify Exchange-related
properties of mail-enabled objects such as users, contacts, and groups. These properties
include e-mail addresses, home server, Client Access server, and Unified Messaging settings.
This permission includes only read and write permissions to Exchange properties for objects
found in the Users container in each domain in which the Exchange 2007 PrepareDomain
process has been run. For additional management permissions, an administrator would have to
be delegated Active Directory permissions to manage objects in an OU, be given membership in
the Account Operators group, or be a member of Domain Admins. If a user or group is delegated
the Exchange Recipient Administrator role, that user or group will have these permissions for
the entire organization.

The Exchange Public Folder Administrator role provides permissions to manage the public
folder hierarchy and public folder properties. This permission is new to Exchange 2007 Service
Pack 1.

The Exchange Server Administrator role can be delegated permissions to one or more individual
Exchange 2007 servers regardless of the server roles each one holds. Someone with these
permissions can manage any configuration data for that particular server, holds the Exchange
View-Only Administrator role, and is made a member of the computer’s local Administrators
group. This role allows medium and large organizations to delegate permissions for Exchange
management more precisely.

The Exchange Organization Administrator role provides the permissions necessary to manage the
organization-wide properties of Exchange 2007, including connectors, accepted e-mail domains,
transport rules, Unified Messaging properties, ActiveSync policies, managed folders, messaging
records management policies, and global settings. This role is by far the most powerful of the
five Exchange 2007 roles.

Exchange 2007 Toolbox Work Center

Posted on November 29th, 2008 in Exchange 2007, Microsoft by Gil Kreslavsky

The Toolbox work center that is found in the Exchange 2007 EMC is a new concept for Exchange
management tools.

[Figure: The Toolbox work center from a default installation of Exchange 2007]

The tools that are found in the Toolbox are not directly integrated with the Exchange
Management Console; instead, the Toolbox provides links to external tools. As new or updated
tools are released by Microsoft, the Toolbox can be updated. The following tools are found in
the Toolbox:

  • The very popular Exchange Best Practices Analyzer (BPA) tool analyzes your Exchange
    configuration and makes recommendations for configuration and security improvements
    based on Microsoft and industry best practices.
  • The Details Templates Editor allows you to edit templates that the user sees from within
    Outlook, such as User and Contact. This feature is new to Exchange Server 2007 Service
    Pack 1.
  • The Public Folder Management Console allows you to manage public folder properties
    from a graphical user interface rather than the Exchange Management Shell; this feature
    is new to Exchange Server 2007 Service Pack 1.
  • The Database Recovery Management tool helps guide you through the process of
    performing disaster recoveries of various server roles.
  • The Database Troubleshooter tool helps you to determine why mailbox databases will not
    mount or why transaction log files will not replay.
  • The Mail Flow Troubleshooter helps to diagnose problems relating to messages being
    transferred between Mailbox, Hub Transport, and Edge Transport servers.
  • The Message Tracking tool allows you to track a message’s progress through an Exchange
    organization and see which Exchange components have processed the message.
  • The Queue Viewer allows you to view the message queues on Hub Transport servers.
  • Routing Log Viewer is a new utility that lets you view the message routing logs to help
    with troubleshooting site, routing group, server, address space, and Send connector
    configurations.
  • The Performance Monitor tool is a Windows tool that helps analyze and troubleshoot
    Windows performance. When you launch the tool from the EMC Toolbox work center, it
    includes common performance counters related to Exchange servers.
  • The Performance Troubleshooter analyzes a server, looks at common factors that could
    hurt performance, such as memory and disk configuration, and makes recommendations
    to improve them.

Troubleshooting common system management issues in VMware ESX Infrastructure

Posted on November 26th, 2008 in ESX Server, VMware by Gil Kreslavsky

  • 1003926 – Troubleshooting the VMware VirtualCenter Server service when it does not start or fails
  • 1003895 – Stopping, starting, or restarting the VirtualCenter Server service
  • 1003928 – Troubleshooting the database data source used by VirtualCenter Server
  • 1003971 – Determining if a port is in use
  • 1003979 – Investigating the health of a VirtualCenter database server
  • 1003996 – Investigating Active Directory when it causes the VirtualCenter Server to stop or fail to start
  • 1003684 – Overview of migration compatibility error messages
  • 1003718 – Troubleshooting VMotion CPU feature requirement error messages
  • 1004070 – Diagnosing why VirtualCenter is not sending email alerts
  • 1003486 – Testing network connectivity with the Ping command
  • 1003409 – Diagnosing an ESX Server that is Disconnected or Not Responding in VirtualCenter
  • 1003480 – Changing an ESX Server’s connection status in VirtualCenter
  • 1003486 – Testing network connectivity with the Ping command
  • 1003487 – Testing port connectivity with the Telnet command
  • 1003494 – Verifying that the Management Service is running on an ESX host
  • 1003495 – Verifying that the VirtualCenter Agent Service is running on an ESX host
  • 1003490 – Restarting the Management agents on an ESX Server
  • 1003496 – Checking for resource starvation of the ESX Server service console
  • 1004002 – Diagnosing slow deployment of templates or clones from VirtualCenter
  • 1004028 – Troubleshooting slow template deployment on a single template
  • 1003496 – Checking for resource starvation of the ESX Server service console
  • 1004089 – Configuring the speed and duplex of an ESX Server host network adapter
  • 1004050 – Troubleshooting template deployment or cloning when it fails
  • 1005593 – Determining the correct version of sysprep to use
  • 1005594 – Ensuring VirtualCenter Server is the only VMware product installed on host
  • 1005870 – Ensuring the guest operating system type is set correctly
  • 1003870 – Diagnosing the Virtual Infrastructure Client when it fails to connect to an ESX host
  • 1003486 – Testing network connectivity with the Ping command
  • 1003494 – Verifying that the Management Service is running on an ESX host
  • 1003487 – Testing port connectivity with the Telnet command
  • 1003887 – Troubleshooting permissions errors when connecting to an ESX Server host with the Virtual Infrastructure client
  • 1003869 – Diagnosing the Virtual Infrastructure Client when it fails to connect to VirtualCenter
  • 1003486 – Testing network connectivity with the Ping command
  • 1003895 – Stopping, starting, or restarting the VirtualCenter Server service
  • 1003487 – Testing port connectivity with the Telnet command
  • 1003561 – Troubleshooting the VMware ESX Server Management Service when it will not start
  • 1003631 – Restarting the ESX Server Management service
  • 1003564 – Investigating disk space on an ESX host
  • 1003634 – Troubleshooting the firewall policy on an ESX Server
  • 1003496 – Checking for resource starvation of the ESX Server service console
  • 1003807 – Unable to connect to an ESX Server host using Secure Shell (SSH)
  • 1003486 – Testing network connectivity with the Ping command
  • 1003906 – Verifying that the Secure Shell Daemon is running on an ESX Server host
  • 8375637 – Enabling Root SSH Logins on ESX Server 3
  • 1003808 – Configuring the ESX Server host firewall for SSH
  • 1003487 – Testing port connectivity with the Telnet command
  • 1003691 – Diagnosing a VMware High Availability cluster configuration failure
  • 1003692 – Verifying a feature is licensed
  • 1003735 – Identifying issues with and setting up name resolution on ESX Server
  • 1003713 – Configuring name resolution for VMware VirtualCenter
  • 1003486 – Testing network connectivity with the Ping command
  • 1003714 – Verifying and reinstalling the correct version of VMware VirtualCenter Server agent
  • 1003734 – Diagnosing VMware VMotion failure at 10%
  • 1002662 – Unable to set VMkernel gateway as there are no VMkernel interfaces on the same network
  • 1003728 – Testing VMkernel network connectivity with the vmkping command
  • 1003486 – Testing network connectivity with the Ping command
  • 1003735 – Identifying issues with and setting up name resolution on ESX Server
  • 1003736 – Verifying time synchronization across environment
  • 1003791 – VMware VMotion fails if target host does not meet reservation requirements
  • 1003496 – Checking for resource starvation of the ESX Server service console
  • 1003780 – Troubleshooting migration compatibility error: Device is a connected device with a remote backing
  • 1003839 – Troubleshooting Virtual Machine loses network connection after VMware VMotion
  • 1003486 – Testing network connectivity with the Ping command
  • 1002811 – Port security on the physical switch causes a loss of network connectivity
  • 1003792 – Diagnosing VMware VMotion failure at 90-95%
  • 1003490 – Restarting the Management agents on an ESX Server
  • 1003736 – Verifying time synchronization across environment
  • 1003791 – VMware VMotion fails if target host does not meet reservation requirements
  • 1003496 – Checking for resource starvation of the ESX Server service console
  • 1003659 – Identifying shared storage issues with ESX 3.x

Brought to you by VMwarewolf.com VMware and Virtualization Technical Discussions

VMware ESX 3.x VC 2.x Command Line Interface (CLI)

Posted on November 25th, 2008 in ESX Server, VMware by Gil Kreslavsky

ESX 3.x and VC 2.x

Introduction

Purpose of this guide

This guide is designed for people who already know ESX 3.x and VC 2.x quite well. Although it starts as a beginner's guide, it pretty rapidly starts to assume very good knowledge of the system. I would recommend you get to grips with the GUI first, and feel comfortable with VI-3 before attempting this guide. That said – you might be wanting to carry out a discrete procedure from the command line. So feel free to dip in – find what you're looking for and then – dip out again!

It is not a comprehensive guide to ALL the commands – just the primary ones. I hope to make this guide gradually more comprehensive, and cover all new commands that are useful. I’ve deliberately not covered every single esxcfg command – because not all of them are terrifically useful… There are some big topics that I have yet to add to this guide – this includes setting NTP and Active Directory authentication for the Service Console. Please email at the email address at the beginning of this document if you spot any errors.

Where possible – I don’t use the VI Client. I only use the VI Client if there is no other way – even if the VI Client is easier. The reasoning behind this is to force the use of the command line. Perhaps I should state why using the command line might be useful…

  • Automation of tasks?
  • Er, because everything else is broken – and logging in at the ESX host at the Service Console is your only option
  • Because sometimes it's quicker (sometimes it’s quicker using the mouse too…!)
  • Because like Everest, it is there!

But I prefer the mouse?

  • Then this guide isn’t for you… Choose File, and close…

But seriously, what are commands – only words that carry out instructions. Who in Windows hasn’t used the net use or net servicename stop/start command? I grew up on DOS/Windows 3.x/Novell – a mix of GUI and commands. For which I am very grateful. I am happy in both environments. Although I do find myself swearing when commands refuse to work, but that said I also swear at Windows just as much – perhaps like Pete from Big Brother I have “Tourette's Syndrome”. God knows whenever I watch Big Brother I feel the uncontrollable urge/need/desire to shout “wankers” at the top of my voice… Hopefully this guide will reduce the amount of swearing you do at computers. You must remember – they can’t hear or understand your profanities – and talking to inanimate objects is usually the first stage of madness…

Anyway, I digress – I’ve noticed that as the GUI grew to dominate our environments – my command-line skills took a hit. If you don’t use it, you lose it – as the saying goes. I don’t intend my skills to be eroded by a little mouse. Of course they could be equally eroded by the keyboard.

Hardware

  • I use a 192.168.2.x range on my network with 192.168.2.101 for esx1 and 192.168.2.102 for esx2. My DNS server is 192.168.2.200. All IPs here are just examples from my network range – replace with your own
  • This guide assumes you have at least 2 servers with 2 CPUs at 1.4 GHz each
  • 2GB of RAM
  • 2×36GB Hard Drives (SCSI Internal)
  • 4x Network Cards (production in a bond, VMotion and Service Console eth0)
  • This is the specification of my server, an old Dell 1650 PowerEdge using PIII processors!
  • My hardware isn’t officially supported by VMware anymore. Anyway it still runs. But at some point I am going to buy two DL380s, and re-use this hardware as my VC box and a NAS box…
  • I have VC set up with a SQL Database.

The layout of my VC looks like this before the upgrade:

  • Two Servers, Two Virtual Machine Groups (for me and my mate, Trevor)
  • The domain name is rtfmed.co.uk
  • lavericm-admin – is the VC Administrator set at Server Farms
  • instructor – is a Virtual Machine Admin from the RTFM Farm (used when I teach with my hardware)
  • baverstockt – is a Virtual Machine User with rights only for Trevor’s VMs Group

Software

  • In my case VC Server 2.x and SQL 2000 (SP3) all run on Windows 2003 with Service Pack 1. This was the most current release of Windows at the time of writing this document
  • Warning: As ever my documents are released as is and without warranty

Hardware & Software

As we are at the Service Console – you don’t really need to have exactly what I have, but it would help to have what I have or better.

Conventions in this Guide

  • I use PuTTY to get Service Console sessions
  • I use nano rather than vi to edit and save files – mainly because I’m no Linux guru, and I find nano more user friendly. The vi text editor is popular in the Linux community because it is pretty much standard amongst every Linux distribution. Don’t let anyone make you feel an idiot or small because you use nano. As long as you can successfully manage the system that’s all that counts in my book. Linux people, do NOT flame me on the merits of using vi. I will absolutely NOT respond!
  • Any major titles marked in red indicate that the section is broken, released as is, and I intend to return to fix it. But got bored banging my head against a brick wall.
  • IMPORTANT: To have your command-line changes reflected in the VI Client you must restart the hostd service on the ESX host. You can do this by using: service mgmt-vmware restart

Change Log from 1.1 to 1.2

  • None

Module 1: Users and Rights

Note:

  • In most cases your rights will be governed by VirtualCenter and Active Directory
  • However, at the Service Console the account database that’s used is local to the Service Console
  • After an upgrade of ESX from 2.x to 3.x – root does have rights to connect remotely using SSH
  • After a clean installation – the default is that root has no remote access via SSH. This is to enforce traceability. Users must log on as underprivileged users and elevate their rights to root. This change in rights is logged in /var/log/messages
  • The easiest way to create a normal user for use with PuTTY would be the VI Client. You can point it at the ESX host and use the “Users & Groups” tab to create a new user

Creating a New User

1. Log on at the Service Console as root (physical or ILO)
2. Type: useradd lavericm-admin -p ********
   Note: useradd's -p option expects an already-encrypted password string, not a plain one; to set a plain password for the new account run passwd lavericm-admin afterwards instead.

Elevating yourself to root

1. Log on at the Service Console as your user account
2. Type: su -
   Note: This switches user and assumes root, unless otherwise specified. The - takes root's environment settings (very important if you want to run any commands properly)
3. Type the password for root
   Note: You can also use a tool called sudo. This allows you to log on as an underprivileged user, and run commands with the ID of a privileged user

Disabling Auditing on root (Not Recommended)

Note:

  • Some applications do not support elevation to a higher plane – for example WinSCP. Sure you could use WinSCP to gain access as an ordinary user, but then you might lack permission to copy the files you need. If you try to log on as root, WinSCP will give you access denied.
  • If you wish to disable the restriction on root not being allowed direct access using SSH then carry out the following task. I wouldn’t recommend doing this as you will lose enforcement of your audit trail.

1. nano -w /etc/ssh/sshd_config
2. Locate: PermitRootLogin no
3. Place a # in front of PermitRootLogin no, like so: #PermitRootLogin no
4. Exit nano & save the file
5. Restart sshd with: service sshd restart

Miscellaneous User Management Tasks

  • To change your password: passwd root
  • List connected users: w
    Note: This gives a result like so:

Module 2: Getting around & Getting help

Note:

  • This module is for novices/newbies and people who have never used the Service Console before (sometimes referred to in the community as vmnix or the COS)
  • The modules are NOT prescriptive – so if you would like to skip and move to something more interesting please feel free to do so
  • This section covers all the basics of using SSH and PuTTY
  • Oh, it occurs to me you might not know what these are… SSH is a secure protocol (port 22) which allows you to connect remotely to an ESX host – giving a command-line interface. PuTTY is a free SSH client which is very popular in the community. This saves you using an ILO to get to the command-line environment
  • The command-line environment is actually something called BASH (Bourne Again Shell)

Module 3: File & Folder Management

Module 4: Networking

Note:

  • Networking involves the use of the commands esxcfg-vswitch, esxcfg-vswif and esxcfg-vmknic. These are quite involved commands – used in a particular order to achieve the results you are looking for. So I’ve decided to write more of a step-by-step guide than just a command list with a brief explanation
  • esxcfg-vswitch is the main command – and it has a mix of parameters in lower and upper case. Lower-case parameters manipulate the switch, whereas upper-case parameters manipulate the portgroup. So to add a switch it's -a, and upper-case -A adds a portgroup
  • In one way this is nice… but it’s incredibly easy to create a switch rather than a portgroup attached to a switch… and I have done this a few times…

Viewing your Switches & Service Console Networking

1. To view your switches type the command: esxcfg-vswitch -l
   Note: This shows me I have one vSwitch (vSwitch0) using one NIC (vmnic0) with one portgroup called “Service Console” which is not using a VLAN.
2. To view your Service Console network settings: esxcfg-vswif -l
   Note: Nothing to state here – but I think it's interesting that it doesn’t show me my all-important default gateway settings, which would have been nice
3. To view your network cards' vmnic, PCI (b:s:f), driver, link, speed, duplex and description: esxcfg-nics -l

Creating a vSwitch (Internal)

1. To create a new switch type: esxcfg-vswitch -a vSwitch1
2. Then add a portgroup: esxcfg-vswitch -A internal vSwitch1
   Note: Lower-case -a for adding a switch, and upper-case -A for adding a portgroup
3. If you run the command esxcfg-vswitch -l you will see this information
4. If you wish to see this reflected in the VI Client then type: service mgmt-vmware restart
   Note: This is how my switch configuration looks now

Creating a vSwitch (Single NIC)

1. In this case we will create a new switch and portgroup in one line with: esxcfg-vswitch -a vSwitch2 -A production
2. Next patch a NIC to the vSwitch with: esxcfg-vswitch -L vmnic1 vSwitch2
   Note: Again this is a case-sensitive option. -l lists switches, whereas -L links NICs to switches
3. If you run the command esxcfg-vswitch -l you will see this information
4. If you wish to see this reflected in the VI Client then type: service mgmt-vmware restart
   Note: This is how my switch configuration looks now

Creating a vSwitch (Multiple NICs)

Note: It is very easy to create a NIC team – just re-run the previous command with a different NIC:

1. esxcfg-vswitch -L vmnic2 vSwitch2
2. If you run the command esxcfg-vswitch -l you will see this information
3. If you wish to see this reflected in the VI Client then type: service mgmt-vmware restart
   Note: This is how my switch configuration looks now

Deleting a vSwitch

Note: I’m now running out of NICs for the next part of this guide. So I am going to blow away my vSwitch2 to free up my NICs…

1. Type the command: esxcfg-vswitch -d vSwitch2
   Note: Notice how it doesn’t ask “are you sure?” – but then again neither does the VI Client.

Creating PortGroups for VLAN Networking (NIC Team)

1. We have to create a switch, a portgroup for each VLAN, allocate our NICs and then set the VLAN ID:
   esxcfg-vswitch -a vSwitch2
   esxcfg-vswitch -A accounts vSwitch2
   esxcfg-vswitch -A rnd vSwitch2
   esxcfg-vswitch -A sales vSwitch2
   esxcfg-vswitch -L vmnic1 vSwitch2
   esxcfg-vswitch -L vmnic2 vSwitch2
2. The next part is to set the VLAN ID for each network (accounts, rnd and sales):
   esxcfg-vswitch -v 10 -p accounts vSwitch2
   esxcfg-vswitch -v 20 -p rnd vSwitch2
   esxcfg-vswitch -v 30 -p sales vSwitch2
3. If you run the command esxcfg-vswitch -l you will see this information
4. If you wish to see this reflected in the VI Client then type: service mgmt-vmware restart
   Note: This is how my switch configuration looks now

Creating VMkernel Switches

Note:

  • This does seem a bit limited… I can’t see a way of enabling the VMkernel switch for VMotion
  • Nor can I see how I would set the default gateway for the switch either
  • You need a good name for the portgroup – because the esxcfg-vswitch command just shows it as any ordinary switch… You need to use esxcfg-vmknic -l to see it

1. First create the switch and portgroup, and assign a NIC:
   esxcfg-vswitch -a vSwitch3
   esxcfg-vswitch -A “VM Kernel” vSwitch3
   esxcfg-vswitch -L vmnic3 vSwitch3
2. Next use the esxcfg-vmknic command to add a VMkernel NIC and set the IP and subnet mask: esxcfg-vmknic -a “VM Kernel” -i 192.168.2.202 -n 255.255.255.0
3. Then set the VMkernel default gateway with: esxcfg-route 192.168.2.1
4. If you run the command esxcfg-vswitch -l you will see this information
5. If you wish to see this reflected in the VI Client then type: service mgmt-vmware restart
   Note: This is how my switch configuration looks now

Changing your Service Console IP Settings

Note:

  • You can do this through a PuTTY session, but clearly unless you have more than one vswif interface (with a different IP address) you will get disconnected
  • It is entirely possible – to have two vswif interfaces on two separate IP addresses – and use one connection to change the IP address of the other
  • You do run the risk of losing SSH connectivity if you screw up – so perhaps doing this through your ILO is a safer bet and less hard work
  • You might also wish to include a new DNS entry for your ESX host before you make this change…

1. To view your current IP and netmask type: esxcfg-vswif -l
2. To change your IP and subnet mask type: esxcfg-vswif -i 192.168.2.203 -n 255.255.255.0 vswif0
   Note: You change your default gateway by editing the file with nano -w /etc/sysconfig/network and then restarting your networking with: service network restart. Your DNS settings are located in /etc/resolv.conf (nano -w /etc/resolv.conf)

Setting the Speed and Duplex of NICs

Note:

  • We have always been able to change the speed & duplex of the VMkernel NICs (ESX 2.x MUI) but in the past the only way to change the Service Console speed and duplex was by editing the /etc/modules.conf file
  • You can now change both the Service Console and the VMkernel NICs through the GUI
  • There could be a chicken-and-egg/catch-22 situation here though. If your Service Console NIC mis-negotiates its speed/duplex you may be unable to connect with the VI Client to change it. That’s when knowing the Service Console commands comes in handy.
  • This can also be useful to reassign a 100Mbps card to a Service Console and then fix its speed/duplex

1. Work out which NIC has been assigned to the portgroup “Service Console” with: esxcfg-vswitch -l
2. To view your current speed & duplex: esxcfg-nics -l
3. To set the speed/duplex of vmnic0 to 100Mbps/half-duplex type: esxcfg-nics -s 100 -d half vmnic0
4. To reset to auto-negotiate: esxcfg-nics -a vmnic0

Recreating your vswif0 Interface

Note: OK, suppose something horrible goes wrong and you lose your vswif0 interface – this is how you would recreate it…

1. Log on locally to the ESX host or use your ILO card (do you have a choice!)
2. Create a new switch: esxcfg-vswitch -a vSwitch0
3. Create a new portgroup: esxcfg-vswitch -A “Service Console” vSwitch0
   Note: upper-case -A adds the portgroup, as in the earlier sections; -p only names an existing portgroup for other options such as -v
4. Assign a NIC: esxcfg-vswitch -L vmnic0 vSwitch0
5. Assign a vswif interface and set its IP/subnet mask: esxcfg-vswif -a vswif0 -p “Service Console” -i 192.168.2.102 -n 255.255.255.0

Removing a NIC from a vSwitch

  • esxcfg-vswitch -U vmnic vSwitch2

Deleting a PortGroup from a vSwitch

  • esxcfg-vswitch -D production vSwitch

Managing the ESX Firewall

Note:

  • Managing the firewall by the VI Client is real easy – it’s a tick-box style interface. If you use the GUI interface and then query with the command-line tool you get “friendly” information about what is enabled. If you purely use the command-line tool you will just get TCP port numbers and directions (outgoing and incoming)
  • The GUI tool also has some handy “built-in” friendly names for popular applications and vendor-specific agents like CommVault Dynamic/Static and many others
  • By default 902 (VirtualCenter, uses TCP and UDP!), 80 (Web Access welcome page), 443 (Web Access login page) and 22 (SSH) are enabled. In addition there are some ports enabled for EMC AAM (Automated Availability Manager) and CIM (Common Information Model). CIM, developed by the DMTF, is a very broad approach to the management of systems and networks
  • Other ports worth knowing about:
  • A bit like ESX 2.x, it is possible to set 3 levels of security (high, medium and low):
    o High – incoming/outgoing blocked
    o Medium – incoming blocked, outgoing not blocked
    o Low – firewall off, no blocking of incoming/outgoing traffic

Viewing your Firewall Settings

1. Type the commands:
   esxcfg-firewall -q outgoing
   esxcfg-firewall -q incoming
   Note: You can also use esxcfg-firewall -q on its own. This gives you lots of stuff… most useful at the bottom:

Changing Your Security Level

Note: If you wanted to weaken your security to medium you could use:

1. Type the command: esxcfg-firewall --allowOutgoing --blockIncoming
   Note: You should get warnings like so:

Enabling a Single Service/Client/Agent

Note:

  • If you want to SSH from an ESX host to another ESX host, or SCP from an ESX host to another – you need to enable the SSH Client on port 22
  • If you do this via the GUI and then do an esxcfg-firewall -q you will see friendly information like so:
    Incoming and outgoing ports blocked by default.
  • To do the same from the command line you would type the command: esxcfg-firewall -e sshClient
    Note: To disable: esxcfg-firewall -d sshClient

Enabling non-Standard Ports

Note:

  • Perhaps there is an application or service which is not listed for use with -e or -d
  • Or the port numbers have been changed to non-standard ports
  • It is possible to open a specific port by number, transport (udp/tcp) and direction (in/out)
  • To enable port 22 outbound from the server type the command: esxcfg-firewall -o 22,tcp,out,ssh
    Note: The ssh at the end is a friendly label. If I run esxcfg-firewall -q again, at the bottom it states:

Fixing ESX Networking after an Upgrade

Note:

  • If you have read my upgrade guide to ESX 3.x you will know that networking looks significantly different after an upgrade – rather than a clean install
  • The following shows how to “clean up” networking using the Service Console commands
  • This is how my upgraded ESX server networking looks:

So what am I going to do with this?
• What I am going to do is the following: o Remove the VMotion Switch0 altogether thus freeing up vmnic0 o Remove the “Legacy vmnet_0” portgroup from vSwitch1 o Remove the “Legacy vmnic2” portgroup from vSwitch2 o Remove vSwitch3 o Create a new vswif interface on a new switch called vSwitch0 using vmnic0 o Add vmnic1 to vSwitch2 o Patch all my VM’s to the Production on vSwitch2 o Create with a VM Kernel Port (vSwitch3) Removing VMotion Switch0 esxcfg-vswitch –d vSwitch0 Remove “Legacy vmnet_0” portgroup from vSwitch1 esxcfg-vswitch –D “Legacy vmnet_0” vSwitch1 Remove “Legacy vmnic2” portgroup from vSwitch2 esxcfg-vswitch -D “Legacy vmnic2″ vSwitch2 Page 16 of 17 ESX 3.x and VC 2.x Remove Old vswif Interface and Remove vSwitch3 • Disable vswif0 interface, and remove from the system You must disable the vswif interface before you delete the switch it is attached to… • Do this at the physical console via an ILO • esxcfg-vswif –d vswif0 • esxcfg-vswitch –d vSwitch3 Create a new vswif1 interface • esxcfg-vswitch -a vSwitch0 • esxcfg-vswitch -A “Service Console” vSwitch0 • esxcfg-vswitch –L vmnic0 vSwitch0 • • esxcfg-vswif –a vswif0 -p “Service Console” -i 192.168.2.x –n 255.255.255.0 Note: You will get this message Note: I found my new vswif0 interface was already enabled. But if doesn’t for you might like to try esxcfgvswif –d vswif0 Create a VM Kernel Port • esxcfg-vswitch -a vSwitch3 • esxcfg-vswitch -A “VM Kernel” vSwitch3 • esxcfg-vswitch -L vmnic3 vSwitch3 • esxcfg-vmknic -a “VM Kernel” -i 192.168.2.x -n 255.255.255.0 • esxcfg-route 192.168.2.1 Typical vSwitch Errors • Getting your case-sensitivity muddled up! 
o -a add vSwitch o -A add portgroup o -l list vSwitches o -L link vmnic o -d delete vSwitch o -D delete portgroup Trying to change things that are in use “Failed to remove vswitch: vSwitch3, Error: PortGroup “Legacy eth0″ on VirtualSwitch “vSwitch3″ is still in use: 1 active ports, vswif0” or “Legacy vmnic2, Error: Unable to delete portgroup “Legacy vmnic2″, for the following reasons: 1 active ports” • Page 17 of 17

Add custom field to ADUC- Employee ID

Posted on November 23rd, 2008 in Active Directory, Microsoft by Gil Kreslavsky

How to add Employee ID to Active Directory Users and Computers

1. Open ADSI Edit.
2. Expand the CN=Configuration node and go to CN=DisplaySpecifiers, CN=409. Select the 409 node in the left-hand pane.
3. In the right-hand pane, select the CN=user-Display object. Right-click it and select Properties.
4. Select the adminContextMenu attribute and click Edit.
5. We now need to add the value that creates the additional menu item and points it at the employeeID.vbs script. The syntax is very important: be sure to include the comma at the beginning and the comma after the menu name (Employee-ID). Add the following to the "Value to add" line:
   ,&Employee-ID,\\servername\sharename\employeeID.vbs
   (your VBS file must be stored on a shared location so that all domain controllers can access it)
6. Change the servername and sharename items to reflect your environment and then click Add.
7. Click OK to accept the changes and close ADSI Edit.
8. Allow some time for replication to populate the change throughout the directory.
9. Open ADUC and select a user. Right-click the user and notice the new menu item.
10. Select Employee-ID to launch the script from within ADUC. From here you can either enter a new value for the user's employeeID attribute or click Cancel to leave the current value intact. (Note: if the box shows no value, the attribute is empty for that user.)

VBScript: copy and paste the following into Notepad, save it as employeeID.vbs and copy it to the shared folder.

' Launched from the ADUC context menu; ADUC passes the selected object's
' ADsPath as the first command-line argument.
Option Explicit
Dim objEmployeeID
Dim objSelectedUser
Dim strNewEmployeeID

Set objEmployeeID = WScript.Arguments
Set objSelectedUser = GetObject(objEmployeeID(0))

' Show the current value and prompt for a new one.
' Cancel (or an empty box) returns "".
strNewEmployeeID = InputBox("Employee ID: " & objSelectedUser.employeeID & vbCrLf _
    & vbCrLf _
    & "To enter a new Employee ID number," _
    & " type it into the text box" _
    & " below and click OK.")

' Only write back when a value was entered, so Cancel leaves the attribute untouched.
If strNewEmployeeID <> "" Then
    objSelectedUser.Put "employeeID", strNewEmployeeID
    objSelectedUser.SetInfo
End If

WScript.Quit

When you right-click a user in ADUC you will see the new Employee-ID entry.
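The same display-specifier change as an added PowerShell example (not from the original post), for anyone who prefers to script it rather than click through ADSI Edit, with a read-back so you can confirm the value landed. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and rights to modify the Configuration partition; the server and share names are the placeholders from the steps above.

```powershell
# Added example: register the Employee-ID context-menu entry on the user
# display specifier with Set-ADObject instead of ADSI Edit.
# Assumes the ActiveDirectory module and rights to write the Configuration
# partition (Enterprise Admins by default). servername/sharename are placeholders.
Import-Module ActiveDirectory

$scriptPath = '\\servername\sharename\employeeID.vbs'
$menuText   = '&Employee-ID'

# The script is launched from wherever ADUC runs, so it must be a reachable UNC path.
if ($scriptPath -notmatch '^\\\\[^\\]+\\[^\\]+\\') {
    throw "Script path must be a UNC path (\\server\share\file): $scriptPath"
}
if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Script not found at $scriptPath; copy employeeID.vbs to the share first"
}

# Step 5's syntax: leading comma, menu text, comma, script path.
$value = ",$menuText,$scriptPath"

# CN=409 is the display-specifier container for the English (US) locale.
$dn = 'CN=user-Display,CN=409,CN=DisplaySpecifiers,' +
      (Get-ADRootDSE).configurationNamingContext

$current = (Get-ADObject -Identity $dn -Properties adminContextMenu).adminContextMenu
if ($current -contains $value) {
    Write-Host "adminContextMenu already contains: $value"
} else {
    # -Add appends a value to a multi-valued attribute without touching existing entries.
    Set-ADObject -Identity $dn -Add @{ adminContextMenu = $value }
    Write-Host "Added: $value"
}

# Read back every context-menu entry so the result can be checked before replication.
(Get-ADObject -Identity $dn -Properties adminContextMenu).adminContextMenu
```

Because the script runs with the rights of whoever clicks the menu, keep the share writable by administrators only; the read-back at the end is also a quick way to spot unexpected entries someone else has added.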

ESX Failed to delete Vmap process when trying to reconfigure HA on cluster

Posted on November 23rd, 2008 in ESX Server, VMware by Gil Kreslavsky

1. Disable HA on ESX cluster

Connect to the problematic server via SSH or the server console and remove the VirtualCenter agent and the legacy HA (LGTO) packages:

  • rpm -ev VMware-vpxa-<version> (find the package version with rpm -qa | grep vpx)
  • rpm -ev <LGTO vm module> (find the package name with rpm -qa | grep LGTO)
  • rpm -ev <LGTO agent module> (find the package name with rpm -qa | grep LGTO)

2. Disconnect host from VC

  • Reboot Host

3. Reconnect host to VC

4. Enable HA in cluster.

Strategies for Auditing

Posted on November 23rd, 2008 in Microsoft, Server 2003, Server 2008, Sox by Gil Kreslavsky

Auditing enables you to monitor events associated with specific users, groups, and services.
These events are recorded to the security log. The capability to monitor these events is not only
useful for troubleshooting, but is also an important tool for monitoring and managing security.
It lets you keep tabs on the actions of specific users or groups and monitor attempts at
unauthorized access to the system or its resources.

Although you could audit every event, doing so wouldn’t be practical because you’d place an
undue load on the system and either end up with an enormous log file or spend all your time
worrying about archiving the logs. The following sections examine some specific scenarios and
how you might employ auditing.

Leaving auditing off

One option is to leave auditing off altogether, which is not a bad option in some situations.
If you’re not concerned with security, you have no real reason to enable or perform auditing.
Turning off auditing reduces system overhead and helps simplify log management; most
organizations are (or should be) concerned with security at least to some degree, however, so
this option is unlikely to fit your needs.

Turning all auditing on

At the other end of the auditing spectrum is complete auditing. If you’re very concerned about
security or shooting for C2 security certification, this may be an option. Bear in mind, however,
that your system is likely to generate a huge number of events requiring very active management
of the security log. As an alternative to full logging, consider logging only failure events and not
success events.

Auditing problem users

Certain users, for one reason or another, can become an administrator’s worst nightmare. In
some cases, it’s through no fault of the user, but instead results from problems with the user’s
profile, account, and so on. In other cases, the user can be at fault, frequently using the wrong
password, incorrectly typing the account name, trying to log on during periods when they are
not allowed, or even trying to access resources for which they have no permissions (or need). In
these situations, you can monitor events associated with the given user. You may even need to
retain the information for counseling or termination purposes.
Which types of events you audit for a given user or group depends on the problem area. Audit
account logon events, for example, if the user has trouble logging on or attempts to log on during
unauthorized hours. Track object access to determine when a user or group is attempting to
access a given resource such as a folder or file. Tailor other auditing to specific tasks and events
generated by the user or group.
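As an added example (not from the original post), the following PowerShell script pulls the failed-logon events for one account out of the Security log and groups them by failure sub-status, so "wrong password", "unknown account name" and "logon outside allowed hours" can be told apart without reading every event by hand. It assumes Windows Server 2008 or later, where a failed logon is Security event ID 4625, and that failure auditing for logon events is enabled; the account name and time window are parameters.

```powershell
# Added example: summarise failed logons (event 4625) for one account.
# Assumes Windows Server 2008+ and "Audit logon events: Failure" enabled.
# Save as Get-FailedLogons.ps1 and run: .\Get-FailedLogons.ps1 -UserName jdoe -Hours 24
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # sAMAccountName to check
    [int]$Hours = 24                                    # how far back to look
)

# NTSTATUS sub-status codes recorded in 4625; anything else is shown raw.
$subStatus = @{
    '0xC000006A' = 'Bad password'
    '0xC0000064' = 'User name does not exist'
    '0xC000006F' = 'Logon outside allowed hours'
    '0xC0000070' = 'Logon from unauthorised workstation'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000234' = 'Account locked out'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}
# SilentlyContinue: Get-WinEvent throws when no events match the filter.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only this account; string comparison is case-insensitive in PowerShell.
    if ($d['TargetUserName'] -ne $UserName) { continue }

    $code = $d['SubStatus']
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        LogonType   = $d['LogonType']
        Reason      = if ($subStatus.ContainsKey($code)) { $subStatus[$code] } else { $code }
    }
}

# Headline: how many failures of each kind, most frequent first.
$rows | Group-Object Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail: every failure in time order, with where it came from.
$rows | Sort-Object Time | Format-Table -AutoSize
```

A run dominated by "Bad password" from the user's own workstation points at the user; the same reason spread across many source addresses is a different problem and deserves a wider look at the log.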

Auditing administrators

Auditing administrators is a good idea, not only to keep track of what administrators are doing,
but also to detect unauthorized use of administrative privileges. Keep in mind, however, that
auditing affects system performance. In particular, consider auditing account logon events,
account management, policy change, and privilege use of an administrator only if you suspect
an individual. Instead, control administrators by delegating through the wise use of groups and
organizational units.

Auditing critical files and folders

One very common use for auditing is to track access to important folders and files. In addition
to tracking simple access, you probably want to track when users make or attempt to make
specific types of changes to the object, such as Change Permissions and Take Ownership. This
helps you monitor changes to a folder or file that could affect security.
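As an added example (not part of the original post), the following PowerShell adds an audit rule to a folder for exactly the two rights the text singles out, Change Permissions and Take Ownership, for both success and failure, and then reads the SACL back. It assumes the "Audit object access" policy is enabled (without it the SACL entries generate no events) and that it runs as an elevated administrator; the folder path is a placeholder.

```powershell
# Added example: audit who changes permissions on, or takes ownership of,
# a sensitive folder. Records both success and failure attempts.
# Assumes "Audit object access" is enabled and the session is elevated
# (reading or writing a SACL needs SeSecurityPrivilege). Path is a placeholder.
$folder = 'D:\Finance\Payroll'

# These two rights change who controls the object rather than its contents,
# so auditing them catches permission tampering without logging every read.
$rights  = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
           [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Audit everyone: the point is to see who did it, not to pre-select suspects.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

# Work on the SACL (audit section) only, so the DACL is left untouched.
$sections = [System.Security.AccessControl.AccessControlSections]::Audit
$acl = [System.IO.Directory]::GetAccessControl($folder, $sections)
$acl.AddAuditRule($rule)
[System.IO.Directory]::SetAccessControl($folder, $acl)

# Read back: one row per audit entry showing who, which rights, which outcome.
$check = [System.IO.Directory]::GetAccessControl($folder, $sections)
$check.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Once in place, a successful permission change on the folder shows up in the Security log as an object-access event naming the account, so the read-back above is the configuration check and the log is the evidence.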

Windows Server 2008 DNS Records

Posted on November 23rd, 2008 in Microsoft, Server 2008 by Gil Kreslavsky

A: Maps a host name to an address
AAAA: Maps a host name to an IPv6 address
AFSDB: Location of an Andrew File System (AFS) cell's database server or a Distributed Computing Environment (DCE) cell's authenticated server
ATMA: Maps a domain name to an Asynchronous Transfer Mode (ATM) address
CNAME: Creates an alias (synonymous) name for the specified host
HINFO: Identifies the host's hardware and operating system type
ISDN: Maps a host name to an Integrated Services Digital Network (ISDN) address (phone number)
KEY: Public key related to a DNS domain name
MB: Associates a host with the specified mailbox; experimental
MG: Associates a host name with a mail group; experimental
MINFO: Specifies the mailbox name responsible for a mail group; experimental
MR: Specifies a mailbox name that is the correct rename of another mailbox; experimental
MX: Mail exchange server for the domain
NS: Specifies the address of the domain's name server(s)
NXT: Defines literal names in the zone; implicitly indicates the nonexistence of a name if it is not defined
PTR: Maps an address to a host name for reverse lookup
RP: Identifies the responsible person for a domain or host
RT: Specifies an intermediate host that routes packets to the destination host
SIG: Cryptographic signature record
SOA: Specifies the authoritative server for the zone
SRV: Defines servers for a specific purpose such as HTTP, FTP, and so on
TXT: Associates textual information with an item in the zone
WINS: Enables lookup of the host portion of a domain name through a WINS server
WINS-R: Reverse lookup through a WINS server
WKS: Describes services provided by a specific protocol on a specific port
X.25: Maps a host name to an X.121 address (X.25 networks); used in conjunction with RT records

Windows 2008 Ping Command Switches

Posted on November 23rd, 2008 in Server 2008 by Gil Kreslavsky

-t: Pings continuously until terminated by Ctrl+C; press Ctrl+Break to view statistics. Use it for extended testing or to check for intermittent problems.
-a: Resolves the address to a host name. Use it to test name resolution and troubleshoot the Hosts file.
-n count: Specifies the number of packets to send. Use it for extended testing.
-l size: Specifies the packet size in bytes; the default is 64, the maximum is 8,192. Use it to check for packet fragmentation and response time.
-f: Sets the Don't Fragment flag in the packet. Use it to prevent routers from fragmenting the packet.
-i ttl: Sets the packet time-to-live. Use it to increase the timeout on slow connections.
-v tos: Sets the Type of Service field. Use it to specify the type of action the remote router should perform on the packet.
-r count: Records the packet route; specify from 1 to 9. Use it to determine the route of outgoing and incoming packets.
-s count: Sets a timestamp for the number of hops specified by count. Use it to set the current hop count for the packet.
-j HostList: Routes packets using the host list; specify a maximum of 9 hosts. Use it to direct traffic through a specific route; hosts can be separated by intermediate gateways (loose source route).
-k HostList: Routes packets using the host list. Similar to -j, but hosts can't be separated by intermediate gateways (strict source route).
-w timeout: Sets the packet timeout in milliseconds. Increase the timeout value to overcome timeouts on slow connections.
-R: Traces a round-trip path back to the client; IPv6 only.
-S srcaddr: Specifies the source address to ping from; IPv6 only.
-4: Forces ping to use IPv4; not necessary if you specify an IPv4 address.
-6: Forces ping to use IPv6.
target_name: Specifies the remote host(s) to ping.

Windows 2008 Server Roles

Posted on November 23rd, 2008 in Server 2008 by Gil Kreslavsky

Active Directory Certificate Services (AD CS). AD CS role services install on a number
of operating systems, including Windows Server 2008, Windows Server 2003, and
Windows 2000 Server. Naturally the fullest implementation of AD CS is only possible
on Windows Server 2008. You can deploy AD CS as a single standalone certification
authority (CA), or you can deploy multiple servers and configure them as root, policy, and
certificate issuing authorities. You also have a variety of Online Responder configuration
possibilities.
Active Directory Domain Services (AD DS). This is the role in the Windows Server
2008 operating system that stores information about users, computers, and other
resources on a network. AD DS is also used for directory-enabled applications such as
Microsoft Exchange Server. AD also stores all information required for Group Policy.
Active Directory Federation Services (AD FS). AD FS employs technology that
allows users, over the life of a single online session, to securely share digital identity
and entitlement rights, or "claims," across security and enterprise boundaries. This
role, introduced and supported on all operating systems since Microsoft Windows
Server 2003 R2, provides Web Single Sign-On (SSO) services to allow a user to access
multiple, related Web applications.
Active Directory Lightweight Directory Services (AD LDS). This service is ideal if you
are required to support directory-enabled applications. AD LDS is a Lightweight Directory
Access Protocol (LDAP) compliant directory service.
Active Directory Rights Management Services (AD RMS). This service augments
an organization's security strategy by protecting information through persistent usage
policies. The key to the service is that the rights management policies are bound to the
information no matter where it resides or where it is moved. AD RMS is used to lock
down documents, spreadsheets, e-mail, and so on so that they cannot be read by outsiders or end up in
the wrong hands. AD RMS, for example, prevents e-mails from being accidentally forwarded
to the wrong people.
The Application Server role. This role supports the deployment and operation of custom
business applications that are built with Microsoft .NET Framework. The Application
Server role lets you choose services for applications that require COM+, Message Queuing,
Web services, and Distributed Coordinated Transactions.
DHCP and DNS. These two roles install the two critical network services
required for every network. They support Active Directory integration and IPv6.
Fax Server role. The fax server lets you set up a service to send and receive faxes over
your network. The role creates a fax server and installs the Fax Service Manager and the
Fax service on the server.

File Server role. This role lets you set up all the bits, bells, and whistles that come with a
Windows file server. This role also lets you install Share and Storage Management, the Distributed
File System (DFS), the File Server Resource Manager application for managing file
servers, Services for Network File System (NFS), Windows File Services, which include
stuff like the File Replication Service (FRS), and so on.
Network Policy and Access Services. This provides the following network connectivity
solutions: Network Access Protection (NAP), the client health policy creation, enforcement,
and remediation technology; secure wireless and wired access (802.1X); wireless
access points; remote access solutions; virtual private network (VPN) services; RADIUS; and
more.
Print Management role. The print services provide a single interface that you use to
manage multiple printers and print servers on your network.
Terminal Services role. This service provides technologies that enable users to access
Windows-based programs that are installed on a terminal server. Users can execute applications
remotely (they still run on the remote server) or they can access the full Windows
desktop on the target server.
Universal Description, Discovery, and Integration (UDDI). UDDI Services provide
capabilities for sharing information about Web services. UDDI is used on the intranet,
between entities participating on an extranet, or on the Internet.
Web Server role. This role provides IIS 7.0, the Web server, ASP.NET, and the Windows
Communication Foundation (WCF).
Windows Deployment Services. These services are used for deployment of new computers
in medium to large organizations.
